[FS#1312] opkg update is not using SSL

[LEDE Bugs]

A new Flyspray task has been opened.  Details are below. 

User who did this - Tim Harper (timcharper) 

Attached to Project - OpenWrt/LEDE Project
Summary - opkg update is not using SSL
Task Type - Bug Report
Category - Packages
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - High
Priority - Very Low
Reported Version - lede-17.01
Due in Version - Undecided
Due Date - Undecided
Details - When I log in to my router and run opkg update, I see that it is using http and not https.

This means I am more vulnerable to man-in-the-middle attacks. I would feel better if at least the packages.gz were ssl (and sha-sums were checked)


root at LEDE:~# opkg update
Downloading http://downloads.lede-project.org/releases/17.01.4/targets/mvebu/generic/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_core
Downloading http://downloads.lede-project.org/releases/17.01.4/targets/mvebu/generic/packages/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.4/packages/arm_cortex-a9_vfpv3/base/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_base
Downloading http://downloads.lede-project.org/releases/17.01.4/packages/arm_cortex-a9_vfpv3/base/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.4/packages/arm_cortex-a9_vfpv3/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_luci
Downloading http://downloads.lede-project.org/releases/17.01.4/packages/arm_cortex-a9_vfpv3/luci/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.4/packages/arm_cortex-a9_vfpv3/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_packages
Downloading http://downloads.lede-project.org/releases/17.01.4/packages/arm_cortex-a9_vfpv3/packages/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.4/packages/arm_cortex-a9_vfpv3/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_routing
Downloading http://downloads.lede-project.org/releases/17.01.4/packages/arm_cortex-a9_vfpv3/routing/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/releases/17.01.4/packages/arm_cortex-a9_vfpv3/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_telephony
Downloading http://downloads.lede-project.org/releases/17.01.4/packages/arm_cortex-a9_vfpv3/telephony/Packages.sig
Signature check passed.


More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=1312